Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 63 additions & 0 deletions SPECS/telegraf/CVE-2026-58207.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
From b9842abe9b95268ed25be7d0429a43bb3413a263 Mon Sep 17 00:00:00 2001
From: Maurice van Veen <github@mauricevanveen.com>
Date: Thu, 18 Jun 2026 10:59:49 +0200
Subject: [PATCH] Connz/Subsz pagination panic on Offset+Limit integer overflow

Signed-off-by: Maurice van Veen <github@mauricevanveen.com>
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/nats-io/nats-server/commit/894d9411927681d66ce349bf1afe49608dc0c1a3.patch
---
.../nats-io/nats-server/v2/server/monitor.go | 28 ++++---------------
1 file changed, 6 insertions(+), 22 deletions(-)

diff --git a/vendor/github.com/nats-io/nats-server/v2/server/monitor.go b/vendor/github.com/nats-io/nats-server/v2/server/monitor.go
index 3da0930d..96793902 100644
--- a/vendor/github.com/nats-io/nats-server/v2/server/monitor.go
+++ b/vendor/github.com/nats-io/nats-server/v2/server/monitor.go
@@ -506,18 +506,10 @@ func (s *Server) Connz(opts *ConnzOptions) (*Connz, error) {
sort.Sort(sort.Reverse(byRTT{pconns}))
}

- minoff := c.Offset
- maxoff := c.Offset + c.Limit
-
- maxIndex := totalClients
-
// Make sure these are sane.
- if minoff > maxIndex {
- minoff = maxIndex
- }
- if maxoff > maxIndex {
- maxoff = maxIndex
- }
+ maxIndex := totalClients
+ minoff := min(max(c.Offset, 0), maxIndex)
+ maxoff := minoff + min(c.Limit, maxIndex-minoff)

// Now pare down to the requested size.
// TODO(dlc) - for very large number of connections we
@@ -1019,18 +1011,10 @@ func (s *Server) Subsz(opts *SubszOptions) (*Subsz, error) {
sub.client.mu.Unlock()
i++
}
- minoff := sz.Offset
- maxoff := sz.Offset + sz.Limit
-
- maxIndex := i
-
// Make sure these are sane.
- if minoff > maxIndex {
- minoff = maxIndex
- }
- if maxoff > maxIndex {
- maxoff = maxIndex
- }
+ maxIndex := i
+ minoff := min(max(sz.Offset, 0), maxIndex)
+ maxoff := minoff + min(sz.Limit, maxIndex-minoff)
sz.Subs = details[minoff:maxoff]
sz.Total = len(sz.Subs)
} else {
--
2.45.4

90 changes: 90 additions & 0 deletions SPECS/telegraf/CVE-2026-58208.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
From cd3fe2220270483a9b20abc65e4329b7a9cfb52a Mon Sep 17 00:00:00 2001
From: Maurice van Veen <github@mauricevanveen.com>
Date: Thu, 18 Jun 2026 08:54:11 +0200
Subject: [PATCH] WebSocket /mqtt upgrade panics when MQTT is disabled

Signed-off-by: Maurice van Veen <github@mauricevanveen.com>
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/nats-io/nats-server/commit/73b3dd9a5ea0fa7bf08b702338676355b29b5fb4.patch
---
plugins/outputs/websocket/websocket_test.go | 50 +++++++++++++++++++
.../nats-server/v2/server/websocket.go | 5 ++
2 files changed, 55 insertions(+)

diff --git a/plugins/outputs/websocket/websocket_test.go b/plugins/outputs/websocket/websocket_test.go
index 98289055..ea5b181b 100644
--- a/plugins/outputs/websocket/websocket_test.go
+++ b/plugins/outputs/websocket/websocket_test.go
@@ -221,3 +221,53 @@ func TestWebSocket_Close(t *testing.T) {
// Check no error on second close.
require.NoError(t, w.Close())
}
+
+func TestWSUpgradeMQTTOnlyWhenEnabled(t *testing.T) {
+ for _, test := range []struct {
+ name string
+ mqttPort int
+ path string
+ kind int
+ err string
+ }{
+ {"mqtt disabled rejects /mqtt", 0, mqttWSPath, 0, "mqtt websocket endpoint not enabled"},
+ {"mqtt enabled allows /mqtt", -1, mqttWSPath, MQTT, _EMPTY_},
+ {"mqtt disabled allows client path", 0, "/", CLIENT, _EMPTY_},
+ } {
+ t.Run(test.name, func(t *testing.T) {
+ opts := testWSOptions()
+ opts.MQTT.Port = test.mqttPort
+ s := &Server{opts: opts}
+ s.wsSetOriginOptions(&opts.Websocket)
+
+ rw := &testResponseWriter{}
+ req := testWSCreateValidReq()
+ req.URL = &url.URL{Path: test.path}
+ res, err := s.wsUpgrade(rw, req)
+
+ if test.err != _EMPTY_ {
+ if err == nil || !strings.Contains(err.Error(), test.err) {
+ t.Fatalf("Expected error %q, got %v", test.err, err)
+ }
+ if res != nil {
+ t.Fatalf("Should not have returned a result, got %v", res)
+ }
+ expected := fmt.Sprintf("%v%s\n", http.StatusNotFound, http.StatusText(http.StatusNotFound))
+ if got := rw.buf.String(); got != expected {
+ t.Fatalf("Expected response %q, got %q", expected, got)
+ }
+ return
+ }
+
+ if err != nil {
+ t.Fatalf("Unexpected error: %v", err)
+ }
+ if res == nil {
+ t.Fatal("Expected an upgrade result, got nil")
+ }
+ if res.kind != test.kind {
+ t.Fatalf("Expected upgrade kind %v, got %v", test.kind, res.kind)
+ }
+ })
+ }
+}
diff --git a/vendor/github.com/nats-io/nats-server/v2/server/websocket.go b/vendor/github.com/nats-io/nats-server/v2/server/websocket.go
index 1804b4de..f5c45aed 100644
--- a/vendor/github.com/nats-io/nats-server/v2/server/websocket.go
+++ b/vendor/github.com/nats-io/nats-server/v2/server/websocket.go
@@ -720,6 +720,11 @@ func (s *Server) wsUpgrade(w http.ResponseWriter, r *http.Request) (*wsUpgradeRe

opts := s.getOpts()

+ // Reject MQTT-over-WebSocket upgrades unless MQTT is enabled.
+ if kind == MQTT && opts.MQTT.Port == 0 {
+ return nil, wsReturnHTTPError(w, r, http.StatusNotFound, "mqtt websocket endpoint not enabled")
+ }
+
// From https://tools.ietf.org/html/rfc6455#section-4.2.1
// Point 1.
if r.Method != "GET" {
--
2.45.4

50 changes: 50 additions & 0 deletions SPECS/telegraf/CVE-2026-58209.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
From 79480a2bfcd7b77490cffebee3a93c38437d735d Mon Sep 17 00:00:00 2001
From: Maurice van Veen <github@mauricevanveen.com>
Date: Thu, 18 Jun 2026 09:28:23 +0200
Subject: [PATCH] MQTT subscribe deny not enforced on retained/QoS replay paths

Signed-off-by: Maurice van Veen <github@mauricevanveen.com>
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/nats-io/nats-server/commit/1c429b6fdc5afd4188cc5faf1127f6334896cd87.patch
---
.../nats-io/nats-server/v2/server/mqtt.go | 17 +++++++++++++++++
1 file changed, 17 insertions(+)

diff --git a/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go b/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go
index f5ef29e6..637d682c 100644
--- a/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go
+++ b/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go
@@ -2671,6 +2671,13 @@ func (as *mqttAccountSessionManager) serializeRetainedMsgsForSub(rms map[string]
// calling serialize.
continue
}
+ // A broad wildcard subscription can overlap a subscribe deny clause.
+ c.mu.Lock()
+ denied := c.mperms != nil && c.checkDenySub(string(subj))
+ c.mu.Unlock()
+ if denied {
+ return
+ }
var pi uint16
qos := mqttGetQoS(rm.Flags)
if qos > sub.mqtt.qos {
@@ -4702,6 +4709,16 @@ func mqttDeliverMsgCbQoS12(sub *subscription, pc *client, _ *Account, subject, r
return
}

+ // A broad wildcard subscription can overlap a subscribe deny clause.
+ cc.mu.Lock()
+ denied := cc.mperms != nil && cc.checkDenySub(strippedSubj)
+ cc.mu.Unlock()
+ if denied {
+ sess.mu.Unlock()
+ sess.jsa.sendAck(reply)
+ return
+ }
+
pi, dup := sess.trackPublish(sub.mqtt.jsDur, reply)
sess.mu.Unlock()

--
2.45.4

52 changes: 52 additions & 0 deletions SPECS/telegraf/CVE-2026-58250.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
From 68e1bb6d032212721828564e7cce5c5073fc3486 Mon Sep 17 00:00:00 2001
From: Daniele Sciascia <daniele@nats.io>
Date: Fri, 17 Apr 2026 18:20:29 +0200
Subject: [PATCH] Prevent pre-auth leafnode INFO nil derefs

Inbound leaf connections can process INFO before CONNECT during
compression negotiation. A second INFO in that state could still
reach paths that assume c.acc or c.leaf.remote are set and panic.

Reject those cases with an authorization violation instead,
and add a regression test for the double-INFO sequence.

Signed-off-by: Daniele Sciascia <daniele@nats.io>
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/nats-io/nats-server/commit/fc5fe39177533e9dbdd651d2458285bfae1dde27.patch
---
.../nats-io/nats-server/v2/server/leafnode.go | 12 ++++++++++++
1 file changed, 12 insertions(+)

diff --git a/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go b/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go
index 652ec5d1..e775bd4b 100644
--- a/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go
+++ b/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go
@@ -1346,6 +1346,12 @@ func (c *client) processLeafnodeInfo(info *Info) {

// Check if we have the remote account information and if so make sure it's stored.
if info.RemoteAccount != _EMPTY_ {
+ if c.acc == nil {
+ c.mu.Unlock()
+ c.sendErr("Authorization Violation")
+ c.closeConnection(ProtocolViolation)
+ return
+ }
s.leafRemoteAccounts.Store(c.acc.Name, info.RemoteAccount)
}
c.mu.Unlock()
@@ -2997,6 +3003,12 @@ func (s *Server) leafNodeFinishConnectProcess(c *client) {
return
}
remote := c.leaf.remote
+ if remote == nil || c.acc == nil {
+ c.mu.Unlock()
+ c.sendErr("Authorization Violation")
+ c.closeConnection(ProtocolViolation)
+ return
+ }
// Check if we will need to send the system connect event.
remote.RLock()
sendSysConnectEvent := remote.Hub
--
2.45.4

64 changes: 64 additions & 0 deletions SPECS/telegraf/CVE-2026-58251.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
From 846ebad87c005299a27409ef9b288dacac90a2de Mon Sep 17 00:00:00 2001
From: Daniele Sciascia <daniele@nats.io>
Date: Fri, 27 Mar 2026 15:03:22 +0100
Subject: [PATCH] Prevent queue subscriptions from bypassing plain subject
denies

A user with a list containing both plain and queue subscribe
permissions, could be allowed to create subscriptions that
should have been denied. For example:

```
permissions: {
subscribe: { allow: ">", deny: ["admin.>", "> restricted"] }
}
```

`SUB admin.secret workers 1` should be denied because of the
`admin.>` deny rule. However, because the queue deny check did
not match, the earlier deny was incorrectly overwritten.
The fix ensures that queue subscriptions are denied as soon
as one of the deny rules applies.

Signed-off-by: Daniele Sciascia <daniele@nats.io>
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/nats-io/nats-server/commit/79c2f6e9ff87f594596337b6427dda85c38d1fe1.patch
---
plugins/inputs/ecs/client_test.go | 7 +++++++
vendor/github.com/nats-io/nats-server/v2/server/client.go | 2 +-
2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/plugins/inputs/ecs/client_test.go b/plugins/inputs/ecs/client_test.go
index 71974031..d1e57cf4 100644
--- a/plugins/inputs/ecs/client_test.go
+++ b/plugins/inputs/ecs/client_test.go
@@ -301,6 +301,13 @@ func TestResolveStatsURL(t *testing.T) {
ver: 3,
exp: "http://169.254.170.2/v3/metadata/task/stats",
},
+ {
+ name: "plain sub deny bypassed by queue deny rules",
+ perms: &SubjectPermission{Allow: []string{">"}, Deny: []string{"admin.>", "> restricted"}},
+ subject: "admin.secret",
+ queue: "workers",
+ want: "-ERR 'Permissions Violation for Subscription to \"admin.secret\" using queue \"workers\"'\r\n",
+ },
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
diff --git a/vendor/github.com/nats-io/nats-server/v2/server/client.go b/vendor/github.com/nats-io/nats-server/v2/server/client.go
index cd24cc8b..4bd67688 100644
--- a/vendor/github.com/nats-io/nats-server/v2/server/client.go
+++ b/vendor/github.com/nats-io/nats-server/v2/server/client.go
@@ -3004,7 +3004,7 @@ func (c *client) canSubscribe(subject string, optQueue ...string) bool {
r := c.perms.sub.deny.Match(subject)
allowed = len(r.psubs) == 0

- if queue != _EMPTY_ && len(r.qsubs) > 0 {
+ if allowed && queue != _EMPTY_ && len(r.qsubs) > 0 {
// If the queue appears in the deny list, then DO NOT allow.
allowed = !queueMatches(queue, r.qsubs)
}
--
2.45.4

47 changes: 47 additions & 0 deletions SPECS/telegraf/CVE-2026-58252.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
From 1142a8ea87c2f123dc095b55e7c0bad452dee196 Mon Sep 17 00:00:00 2001
From: Daniele Sciascia <daniele@nats.io>
Date: Fri, 27 Mar 2026 13:09:24 +0100
Subject: [PATCH] Enforce subscription deny on overlapping subjects

Method `client.canSubscribe` used `subjectIsSubsetMatch`
to determine if a subscription deny filter should be set on
a given subject. That missed overlapping wildcard patterns
such as "*.secret" and "foo.*", allowing denied messaged
to be delivered. A subscription to "foo.*" could deliver
denied messages on "foo.secret".
The fix replaces `subjectIsSubsetMatch` with `SubjectsCollide`,
which detects arbitrary intersections between wildcard
subjects.

Signed-off-by: Daniele Sciascia <daniele@nats.io>
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/nats-io/nats-server/commit/e611ca9604697b02d8f22beb76037400a9cf72e6.patch
---
vendor/github.com/nats-io/nats-server/v2/server/client.go | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/vendor/github.com/nats-io/nats-server/v2/server/client.go b/vendor/github.com/nats-io/nats-server/v2/server/client.go
index 4bd67688..97136bab 100644
--- a/vendor/github.com/nats-io/nats-server/v2/server/client.go
+++ b/vendor/github.com/nats-io/nats-server/v2/server/client.go
@@ -3010,13 +3010,14 @@ func (c *client) canSubscribe(subject string, optQueue ...string) bool {
}

// We use the actual subscription to signal us to spin up the deny mperms
- // and cache. We check if the subject is a wildcard that contains any of
+ // and cache. We check if the subject is a wildcard that intersects any of
// the deny clauses.
// FIXME(dlc) - We could be smarter and track when these go away and remove.
if allowed && c.mperms == nil && subjectHasWildcard(subject) {
- // Whip through the deny array and check if this wildcard subject is within scope.
+ // Whip through the deny array and check if this wildcard subject can
+ // overlap with any denied deliveries.
for _, sub := range c.darray {
- if subjectIsSubsetMatch(sub, subject) {
+ if SubjectsCollide(sub, subject) {
c.loadMsgDenyFilter()
break
}
--
2.45.4

Loading
Loading